The KPC loads configuration data from a file (typically backed by a Kubernetes config map). The location of the configuration file is sourced from an environment variable. If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.

Service configuration structure

The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.


KPC uses its service instance name and replica ID for communication with other services and load balancing across replicas (for example, see 3/ISM). You can control the values with the following configuration options:

    name: <string>          # Service instance name, should be unique cluster-wide. "kpc" by default. <string>    # Service instance replica ID, should be unique cluster-wide. Random string by default.
  graceful-shutdown: <uint> # Allowed service graceful shutdown period in seconds. 30 seconds by default.

MQTT transport

KPC implements 1/KP protocol over MQTT that can be exposed plain, over TLS, and over websockets. Only plain MQTT is enabled by default, but you can configure up to all three interfaces to function concurrently, if necessary. MQTT over websocket interface processes client connections on /ws path of the configured port.

Below are the most important configuration options.

          # Plain MQTT over TCP transport configuration.
          enabled: <boolean>                # Enables MQTT transport; true by default.
          port: <unsigned short integer>    # Port number to expose the MQTT interface at; 1883 by default.

          # MQTT over TLS transport configuration.
          enabled: <boolean>                # Enables MQTT/TLS transport; false by default. Also can be set by the KAA_KPC_TRANSPORTS_MQTT_TLS_ENABLED environment variable.
          port: <unsigned short integer>    # Port number to expose the MQTT/TLS interface at; 8883 by default.
          cert-file: <string>               # Location of a PEM-encoded server certificate file; "/run/ssl/tls.crt" by default.
          cert-key-file: <string>           # Location of a PEM-encoded server certificate key file; "/run/ssl/tls.key" by default.
            required: <bool>                # Whether to require certificate-base client authentication. In addition to the standard client's certificate validity verification, KPC will use the configured authentication interface to perform an additional certificate check. False by default.
            trust-store-file: <string>      # Location of a PEM-encoded server trust store file; "/run/ssl/ca.crt" by default.

          # MQTT over Websocket transport configuration.
          enabled: <boolean>                # Enables MQTT/Websocket transport; false by default.
          port: <unsigned short integer>    # Port number to expose the MQTT/Websocket interface at; 9001 by default.

        plain-auth.required: <bool>         # Whether to require the client plain (username / password) configuration authentication. Applies to all MQTT-based transport. False by default.

      timeout:                              # The maximum allowed message processing duration in milliseconds, after which client message expires. KPC sets this timeout in downstream messages to other services, which must respect the timeout. Value of 0 indicates no expiration. 10,000 (10 seconds) by default.

Extension instances

Extension instances configuration is necessary for KPC to know which extension service instances are endpoint-aware, and which ones are not. By default, extensions are considered endpoint-aware. KPC will not allow endpoint communication to extensions not listed here.

kaa.kpc.extensions:            # List of extension instances
  <extension instance name>:   # Extension service instance name
    endpoint-aware: <boolean>  # Specifies whether the extension is endpoint-aware. True by default.

Kaa applications

Many Kaa services can be configured for different behavior depending on the application version of the endpoint the processed data relates to. This is called appversion-specific behavior and is handled in service configurations under kaa.applications. Alternatively, the application-specific configuration can be sourced from Kaa Tekton. See the Tekton configuration section to find out how to configure such integration.

KPC supports configuring a whitelist of allowed extension services per each application version. KPC will only allow endpoints to communicate to extension service instances listed in their application version. This configuration is optional, and no filtering occurs if the list of extensions is not configured.

    <application 1 name>:
        <application 1 version 1 name>:
          # List of names of extension service instances that endpoints in this application version are allowed to
          # communicate with. Optional.
          - <service instance name>
        <application 1 version 2 name>:  # Multiple application versions can be configured under the "versions" key
    <application 2 name>:                # Multiple applications can be configured under the "applications" key

For example:

        kettle_v1:  # "kettle_v1" application version is configured with no filtering by extensions
        kettle_v2:  # "kettle_v2" only allows "dcx" and "epmx" extension instances
          - dcx
          - epmx
        kettle_v3:  # "kettle_v3" explicitly specifies no restriction for extension instances. No filtering occurs.

Due to the various compatibility reasons the application and application version names must be limited to lowercase latin letters (a-z), digits (0-9), dashes (-) and underscores (_).


KPC supports integration with Kaa Tekton for centralized application configuration management. The below configuration options set up the integration interface.

    enabled: <boolean>    # Enables Tekton integration. False by default. Also can be set with the KAA_TEKTON_ENABLED environment variable.
    url: <string>         # URL of the Tekton service. "http://tekton" by default. Also can be set with the KAA_TEKTON_URL environment variable.
    provider.service-instance-name: <string>  # Service instance name of the Tekton service. "tekton" by default.
    queue-length: <uint>                      # Maximum queue length for 17/SCMP messages from Tekton. 256 by default.

For the Tekton integration to function, there must be no kaa.applications key in the configuration file. Such configuration, when present, takes precedence over the Tekton-supplied application-specific configs.

Authentication interface for clients and endpoints

KPC uses the authentication interface to authenticate clients and endpoints. Use the below parameters to configure this interface.

    service-instance-name: <service instance name>  # Instance name of the service used to authenticate clients and endpoints. "cm" by default.
    timeout: <uint>                                 # Request timeout in milliseconds for all requests to ECAP Provider. 10,000 (10 seconds) by default.


The below parameters configure KPC’s connection to NATS broker, as well as the NATS message adapters used by KPC. Note that, for security reasons, in case the NATS connection requires credentials, you should set it with the environment variables.

nats.urls: <comma separated list of URL>    # NATS connection URLs. "nats://nats:4222" by default.

      concurrency: <uint>          # Number of concurrent workers to read NATS-based messages from extension service. 16 by default.
      queue-length: <uint>         # The maximum amount of messages in the ESP server queue. When the queue is full, new messages will be dropped. 64 * `kaa.esp.client.concurrency` by default.

Consider configuring concurrency options to at least match the number of CPUs available on your infrastructure.

Authentication and authorization

KPC uses OAuth2 for authentication and authorization when making REST API calls to other services.

KPC security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).

    enabled: <boolean>      # Enables authentication and authorization. False by default.
    issuer: <string>        # URL of the auth service.
    clientID: <string>      # Client ID for making requests to the auth service.
    clientSecret: <string>  # Client secret for making requests to the auth service.

Endpoint lifecycle messages receiver

KPC listens to 9/ELCE endpoint connected events from other replicas of its own instance. This is necessary for detecting endpoint roaming across client connections and properly managing the message routing.

The 9/ELCE receiver interface has the following configuration options:

  concurrency: <uint>   # The maximum amount of concurrent goroutines to read and process incoming 9/ELCE NATS messages. 8 by default.
  queue-length: <uint>  # The maximum amount of messages in the ELCE receiver queue. When the queue is full, new messages will be dropped. 16 * concurrency by default.


To control the KPC management interface, use the following configuration options.

  disabled: <boolean>   # Disables the monitoring interface entirely. False by default (enabled).
  port: <uint>          # TCP port to expose the monitoring server on. 8080 by default.


KPC writes logs to stdout. By default, the service only produces logs at startup, shutdown, or in case of errors. To enable debug level logging, use the following option:

  debug: <boolean>    # Enables debug level logging, false by default (disabled).

Keep in mind that enabling debug level logging will produce significantly more log output and degrade the service performance.

Default configuration

Summarizing the above, the default KPC configuration is as follows. Note that no Kaa applications are defined by default—you have to configure those for any specific Kaa-based solution.

    name: "kpc" "<random string generated on boot>"
    disabled: false
    port: 8080
  graceful-shutdown: 30 # seconds
  debug: false

          enabled: true
          port: 1883

          enabled: false
          port: 8883
          cert-file: "/run/ssl/tls.crt"
          cert-key-file: "/run/ssl/tls.key"
            required: false
            trust-store-file: "/run/ssl/ca.crt"

          enabled: false
          port: 9001

        plain-auth.required: false

      timeout: 10000 # milliseconds

      service-instance-name: cm
      timeout: 10000 # milliseconds

  applications: # none; at least one must be configured to start

      concurrency: 16
      queue-length: 1024

nats.urls: nats://nats:4222